aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch')
-rw-r--r--meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch47
1 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch b/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch
new file mode 100644
index 0000000000..d66ac0c9ca
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch
@@ -0,0 +1,47 @@
+libpng16: Fixed an overflow in png_combine_row with very wide interlaced
+
+Fixes CVE-2015-0973 (duplicate of CVE-2014-9495), a heap-based overflow
+vulnerability in the png_combine_row() function of the libpng library,
+when very large interlaced images were used.
+
+Upstream patch:
+http://sourceforge.net/p/libpng/code/ci/dc294204b641373bc6eb603075a8b98f51a75dd8/
+
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff --git a/pngrutil.c b/pngrutil.c
+index e9fdd62..4c26be4 100644
+--- a/pngrutil.c
++++ b/pngrutil.c
+@@ -3003,7 +3003,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
+ {
+ unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
+ png_const_bytep sp = png_ptr->row_buf + 1;
+- png_uint_32 row_width = png_ptr->width;
++ png_alloc_size_t row_width = png_ptr->width;
+ unsigned int pass = png_ptr->pass;
+ png_bytep end_ptr = 0;
+ png_byte end_byte = 0;
+@@ -3278,7 +3278,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
+
+ /* But don't allow this number to exceed the actual row width. */
+ if (bytes_to_copy > row_width)
+- bytes_to_copy = row_width;
++ bytes_to_copy = (unsigned int)/*SAFE*/row_width;
+ }
+
+ else /* normal row; Adam7 only ever gives us one pixel to copy. */
+@@ -3458,7 +3458,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
+ dp += bytes_to_jump;
+ row_width -= bytes_to_jump;
+ if (bytes_to_copy > row_width)
+- bytes_to_copy = row_width;
++ bytes_to_copy = (unsigned int)/*SAFE*/row_width;
+ }
+ }
+
+--
+1.9.1
+
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-01 15:57:24 +0000